Best Practices for Access Controls for Information Systems

Access controls for information systems are only as good as the policies and procedures that dictate their use. There are a few general best practices that you should follow to ensure reasonably secure access controls on information systems:

  • Create a baseline for access—Build a baseline for the current access levels in the environment. This will help identify holes in access and identify which users have rights beyond their needs.
  • Segregate users’ rights by their role—Developers do not need access to production databases; sales executives do not need access to the accounts receivable system.
  • Automate user creation—Have prebuilt groups for the major roles in the organization so that when an employee joins or switches roles, you can modify his or her rights quickly and correctly.
  • Tie access controls to the environment—Some situations, such as accessing a VPN, call for two-factor authentication. In other instances, such as accessing an intranet site, you can put lighter controls in place.
  • Have a clear standard for decommissioning data storage devices—When decommissioning a storage device, which may include a hard drive, thumb drive, or digital camera, have a standard method to guarantee that data is removed from the device before disposal.
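An added example (not from the book) showing how the first three practices look in code: a role baseline as prebuilt groups, an audit that flags users holding rights beyond their roles, and a role change that re-derives grants from the groups. The roles, systems, and user records are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed baseline: the rights each prebuilt role group is expected to hold.
# Role and system names are illustrative assumptions, not from any real environment.
ROLE_BASELINE = {
    "developer": {"source_repo", "staging_db"},
    "sales_exec": {"crm"},
    "finance": {"accounts_receivable", "crm"},
}


@dataclass
class User:
    name: str
    roles: set          # role groups assigned to the user
    grants: set         # rights the user currently holds in the environment


def expected_rights(roles):
    """Union of the rights that the user's role groups justify."""
    rights = set()
    for role in roles:
        rights |= ROLE_BASELINE.get(role, set())
    return rights


def excess_rights(user):
    """Rights held beyond the role baseline: the 'holes' a baseline review surfaces."""
    return user.grants - expected_rights(user.roles)


def change_role(user, new_roles):
    """Re-derive grants from the role groups instead of editing rights by hand."""
    user.roles = set(new_roles)
    user.grants = expected_rights(user.roles)
    return user.grants


def audit(users):
    """Map each over-privileged user to the sorted list of rights outside their roles."""
    return {u.name: sorted(excess_rights(u)) for u in users if excess_rights(u)}


# Constructed sample environment: alice (a developer) has production DB access,
# carol (sales) has accounts receivable access; both violate the baseline.
SAMPLE_USERS = [
    User("alice", {"developer"}, {"source_repo", "staging_db", "production_db"}),
    User("bob", {"sales_exec"}, {"crm"}),
    User("carol", {"sales_exec"}, {"crm", "accounts_receivable"}),
]

if __name__ == "__main__":
    for name, extra in audit(SAMPLE_USERS).items():
        print(f"{name}: rights beyond role: {extra}")
```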